Advisories, April 29, 2005

Apr 30, 2005, 05:00 (0 Talkback[s])

Mandriva Linux Security Update Advisory


Package name: squid
Advisory ID: MDKSA-2005:078
Date: April 28th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1


Problem Description:

Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings. (CAN-2005-0194)

Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. (CAN-2005-0626)

Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory. (CAN-2005-0718)

In addition, due to subtle bugs in the previous backported updates of squid (Bugzilla #14209), all the squid-2.5 versions have been updated to squid-2.5.STABLE9 with all the STABLE9 patches from the squid developers.

The updated packages are patched to fix these problems.
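The first issue above (CAN-2005-0194) only bites when the parser warnings about empty or unauthenticated ACLs are ignored. As an added example (not Mandriva's or Squid's code), this small linter reads a squid.conf and reports the two definitions the advisory describes: ACL lines with no arguments, and proxy_auth ACLs used when no auth_param scheme is configured. The sample configuration is constructed for the demonstration.

```python
"""Lint a squid.conf for the ACL-definition problems behind CAN-2005-0194:
ACLs declared with no arguments, and proxy_auth ACLs with no auth_param
scheme configured. Added example, not code from the advisory or Squid."""

# Constructed sample configuration; the auth_param line is commented out,
# so the proxy_auth ACL below has no authentication scheme to check against.
SAMPLE_CONF = """
# auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl localnet src 192.168.1.0/24
acl staff proxy_auth REQUIRED
acl blocked dstdomain          # empty ACL: the arguments were never filled in
http_access allow staff
http_access allow localnet
http_access deny all
"""


def lint_squid_acls(conf_text):
    """Return a list of (line_no, message) findings for the config text."""
    findings = []
    auth_schemes = set()
    acl_lines = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, keep the directive
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "auth_param" and len(tokens) >= 2:
            auth_schemes.add(tokens[1])        # e.g. basic, digest, ntlm
        elif tokens[0] == "acl":
            acl_lines.append((no, tokens))
    for no, tokens in acl_lines:
        if len(tokens) < 3:
            findings.append((no, "acl line has no type: " + " ".join(tokens)))
            continue
        name, acl_type, args = tokens[1], tokens[2], tokens[3:]
        if not args:
            findings.append((no, "acl '%s' (%s) has no arguments; empty ACL, "
                                 "see CAN-2005-0194" % (name, acl_type)))
        if acl_type in ("proxy_auth", "proxy_auth_regex") and not auth_schemes:
            findings.append((no, "acl '%s' uses %s but no auth_param scheme "
                                 "is defined" % (name, acl_type)))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_squid_acls(SAMPLE_CONF):
        print("line %d: %s" % (line_no, msg))
```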


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0718


Updated Packages:



Bug IDs fixed (see http://qa.mandriva.com for more information):

14209


To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Update Advisory


Package name: perl
Advisory ID: MDKSA-2005:079
Date: April 28th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1


Problem Description:

Paul Szabo discovered another vulnerability in the rmtree() function in File::Path.pm. While a process running as root (or another user) was busy deleting a directory tree, a different user could exploit a race condition to create setuid binaries in this directory tree, provided that they already had write permission in any subdirectory of that tree.

The provided packages have been patched to resolve this problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448


Updated Packages:




Mandriva Linux Security Update Advisory


Package name: xpm
Advisory ID: MDKSA-2005:080
Date: April 28th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1


Problem Description:

The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files.

An integer overflow flaw was found in libXPM, which is used by some applications to load XPM images. An attacker could create a malicious XPM file that would execute arbitrary code via a negative bitmap_unit value if opened by a victim using an application linked to the vulnerable library.

Updated packages are patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0605


Updated Packages:

